Use OpenSSL to Generate a PKCS12 File

Before You Begin

• OpenSSL is one tool that can be used to make the PKCS12 file in the proper format for loading in the HDS Setup Tool. There are other ways to do this, and we do not support or promote one way over another.
• If you do choose to use OpenSSL, we are providing this procedure as a guideline to help you create a file that meets the X.509 certificate requirements in Complete the Prerequisites for Hybrid Data Security. Understand those requirements before you continue.
• Install OpenSSL in a supported environment. See https://www.openssl.org for the software and documentation.
• Create a private key.
• Start this procedure when you receive the server certificate from your Certificate Authority (CA).

Procedure

Step 1 When you receive the server certificate from your CA, save it as hdsnode.pem.

Step 2 Display the certificate as text, and verify the details.

    openssl x509 -text -noout -in hdsnode.pem

Step 3 Use a text editor to create a certificate bundle file called hdsnode-bundle.pem. The bundle file must include the server certificate, any intermediate CA certificates, and the root CA certificates, in the format below:

    -----BEGIN CERTIFICATE-----
    ### Server certificate. ###
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ### Intermediate CA certificate. ###
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ### Root CA certificate. ###
    -----END CERTIFICATE-----

Step 4 Create the .p12 file with the friendly name kms-private-key.

    openssl pkcs12 -export -inkey hdsnode.key -in hdsnode-bundle.pem -name kms-private-key -caname kms-private-key -out hdsnode.p12

Deployment Guide for Hybrid Data Security
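The following script is an added example, not part of the original guide: it checks the inputs to Step 3 (the key pairs with the server certificate, and the bundle runs server, intermediate, root) and the output of Step 4 (the .p12 carries the friendly name kms-private-key). The function names and the P12_PASS environment variable are hypothetical names chosen for this example, and it assumes the private key file is not passphrase-protected.

```shell
#!/bin/sh
# Added example: checks around Steps 3 and 4. File names follow the page;
# the function names and the P12_PASS variable are this example's own.

# Step 3 input: the private key must pair with the first (server) certificate.
# Assumes an unencrypted key file; x509 reads only the first cert in the bundle.
key_matches_cert() {  # $1 = private key, $2 = bundle
    k=$(openssl pkey -in "$1" -pubout) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout) || return 1
    [ "$k" = "$c" ]
}

# Step 3 layout: server -> intermediate(s) -> root. Compares name hashes only,
# so it catches ordering mistakes; it does not verify signatures.
bundle_in_order() {  # $1 = bundle
    d=$(mktemp -d) || return 1
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/ { n++ }
                   n { print > (d "/cert-" n ".pem") }' "$1"
    i=1; rc=0
    [ -f "$d/cert-1.pem" ] || rc=1                # no certificates found
    while [ -f "$d/cert-$i.pem" ]; do
        next="$d/cert-$((i + 1)).pem"
        [ -f "$next" ] || next="$d/cert-$i.pem"   # last one must be self-issued
        iss=$(openssl x509 -in "$d/cert-$i.pem" -noout -issuer_hash)
        sub=$(openssl x509 -in "$next" -noout -subject_hash)
        [ -n "$iss" ] && [ "$iss" = "$sub" ] || { rc=1; break; }
        i=$((i + 1))
    done
    rm -rf "$d"
    return "$rc"
}

# Step 4 output: the exported file must carry the friendly name kms-private-key.
# The import password is read from the environment variable P12_PASS.
p12_has_friendly_name() {  # $1 = .p12 file
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -q 'friendlyName: kms-private-key'
}

# Stand-alone use: sh check.sh hdsnode.key hdsnode-bundle.pem hdsnode.p12
if [ "$#" -eq 3 ]; then
    key_matches_cert "$1" "$2" || { echo "key does not match server cert" >&2; exit 1; }
    bundle_in_order "$2"       || { echo "bundle is out of order" >&2; exit 1; }
    p12_has_friendly_name "$3" || { echo "friendly name missing" >&2; exit 1; }
    echo "all checks passed"
fi
```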